From b133ccd4950b387f3d82d87a78e279cd3881e2e5 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Wed, 24 Nov 2021 20:51:09 +0100 Subject: [PATCH 1/5] Add enumeration of common dnsmasq warnings Signed-off-by: DL6ER --- docs/ftldns/dnsmasq_warn.md | 247 ++++++++++++++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 248 insertions(+) create mode 100644 docs/ftldns/dnsmasq_warn.md diff --git a/docs/ftldns/dnsmasq_warn.md b/docs/ftldns/dnsmasq_warn.md new file mode 100644 index 0000000..8830cfb --- /dev/null +++ b/docs/ftldns/dnsmasq_warn.md 
@@ -0,0 +1,247 @@ +# Known `dnsmasq` warnings + +Warnings commonly seen in `dnsmasq`'s log file (`/var/log/pihole.log`) and the Pi-hole diagnosis system. + +## ignoring zone transfer request from `ADDRESS` + +Zone transfer requests (AXFR) are refused *unless* `auth-sec-servers` or `auth-peers` is set. The address requesting the AXFR is logged. + +## DHCP request for unsupported hardware type (`X`) received on `Y` + +`dnsmasq` only supports Ethernet on *BSD. The integer `X` describes the hardware type (see `/usr/include/linux/if_arp.h` for definitions). `Y` is the name of the receiving interface. + +## Unknown protocol version from route socket + +As the warning says. No action is performed in this case. + +## No IPv4 address found for `HOSTNAME` + +Lookup for an A record in the cache returned no result. + +## `HOSTNAME` is a CNAME, not giving it to the DHCP lease of `ADDRESS` + +A hostname claimed by a DHCP client is a known CNAME. `dnsmasq` des + +## not giving name `HOSTNAME` to the DHCP lease of `ADDRESS` because the name exists in `SOURCE` with address `CACHE_ADDR` + +If `HOSTNAME` is known through a HOSTS file or config (see `SOURCE`) and the DHCP address `ADDRESS` does *not* match the address in the cache (`CACHE_ADDR`), `dnsmasq` prevents giving the name to a DHCP client. This prevents possible hostname hijacking by malicious devices. + +## unknown interface `IF_NAME` in bridge-interface + +If the interface on which the DHCPv6 request was received is an alias of some other interface (as specified by the `bridge-interface` option), `dnsmasq` needs to look for DHCPv6 contexts associated with the aliased interface instead of with the aliasing one. This warning complains that the referenced interface does not exist. + +## DHCP packet received on `IF_NAME` which has no address + +No DHCP context has been configured for this interface. Check your DHCP settings. 
+ +## Error sending DHCP packet to `ADDRESS`: `MSG` + +This can fail when, e.g., `iptables` `DROPS` destination `255.255.255.255`. Check your firewall settings. + +## DHCP range `ADDRESS_FROM` -- `ADDRESS_TO` is not consistent with netmask `SUBNET_MASK` + +This warning highlights that one of the two addresses is outside of the configured subnet mask. As a consequence, not all addresses may be reachable from configured hosts leading to unexpected behavior on the clients. Make your DHCP settings consistent. + +## Ignoring duplicate dhcp-option `OPTNUM` + +DHCP options specified more than once are ignored. The corresponding option ID is given by `OPTNUM` + +## `HOSTNAME` has more than one address in hostsfile, using `ADDRESS` for DHCP + +Some people like to keep all static IP addresses in `/etc/hosts`. `dnsmasq` goes through `/etc/hosts` and sets static addresses for any DHCP config records which don't have an address and whose name matches qhere `dnsmasq` maintains the invariant that any IP address can appear in at least one DHCP host. + +## duplicate IP address `ADDRESS` (`HOSTNAME`) in dhcp-config directive + +As the warning says. + +## cache size greater than 10000 may cause performance issues, and is unlikely to be useful. + +This causes the cache to consume a lot on memory and slows down cache lookups. As expiring cache entries naturally make room for new records, a large cache does not give any advantages beyond a certain level. This level is typically not very high. Try reducing the cache. Watch out for cache-evictions. If they are zweo over a long time, your cache is larger than what you need. + +## warning: failed to change owner of `PIDFILE`: `MSG` + +Changing the ownership of the PID file (`PIDFILE`) to the user `dnsmasq` will be running as failed. A descriptive error message (`MSG`) is given to explain why the `chown` failed. + +## setting --bind-interfaces option because of OS limitations + +Only affects non-Linux builds. 
`bind-dynamic` is not supported on non-Linux. `dnsmasq` falls back to `bind-interfaces` + +## warning: interface `NAME` does not currently exist + +As the warning says. Likely caused by an `interface=NAME` option where the interface `NAME` does not exist. Check if your operating system may have changed from simple (like `eth0`) to predictable (like `enp2s0`) interface names. Update your configuration accordingly. + +## warning: ignoring resolv-file flag because no-resolv is set + +This points to a conflicting configuration that may not behave as expected. Remove either the `resolv-file` or the `--no-resolv` option. + +## warning: no upstream servers configured + +Only local names can be answered as no `server=...` lines are defined. + +## warning: `TFTP_PREFIX` inaccessible + +The TFTP prefix (set by `tftp-prefix`) is inaccessible or not a directory. + +## warning: TFTP directory %s inaccessible + +One of the defined TFTP prefix (comma-separated arguments of `tftp-prefix`) is inaccessible or not a directory. + +## restricting maximum simultaneous TFTP transfers to `NUMBER` + +If a limited range of ports is in use, this also limits the number of concurrent TFTP transfers. + +## script process killed by signal `SIGNUM` + +A script helper was killed by an external signal (`SIGNUM`). + +## script process exited with status `EXITCODE` + +A script helper exited with a non-success return code (`EXITCODE`). + +## failed to access `RESOLV_FILE`: `MSG` + +This line is logged when `dnsmasq` fails to access one of the files defined through `resolv-file`. This warning is printed only once per file. + +## no servers found in `RESOLV_FILE`, will retry + +The read file was empty. `dnsmasq` will read it again. This warning is printed only once per file. + +## Insecure DS reply received for `DOMAIN`, check domain configuration and upstream DNS server DNSSEC support + +A query was marked BOGUS because a DS query could not be validated (returned INSECURE). 
+ +## discarding DNS reply: subnet option mismatch + +When the EDNS0 option `add-subnet` is in use, `dnsmasq` needs to check the reply. If the returned subnet does not match, the reply is treated as invalid. + +## nameserver `ADDRESS` refused to do a recursive query + +Upstream at address `ADDRESS` is missing the `RA` (recursion available) bit. This warning is printed only once per server. + +## possible DNS-rebind attack detected: `NAME` + +`A` and `AAAA` answers are checked against possible rebind attacks when `stop-dns-rebind` is enabled. See `rebind-domain-ok=/domain/` for adding exceptions. + +## reducing DNS packet size for nameserver `ADDRESS` to `SAFE_PKTSZ` + +When receiving anwers from upstream only with a smaller maximum DNS packet size, `dnsmasq` remembers this decision and makes it permanent in the current session. + +## Ignoring query from non-local network + +`dnsmasq` can be configured to only accept queries from at-most-one-hop-away addresses using the option `local-service`. Other queries are discarded in this case. This is ment to be a safe default to keep otherwise unconfigured installations safe. Note that `local-service` is ignored if *any* access-control config is in place (`interface`, `except-interface`, `listen-address` or `auth-server`). + +## Maximum number of concurrent DNS queries reached (max: `NUMBER`) + +The configured maximum number of concurrent DNS queries has been reached. The system is either very busy at the moment or not receiving queries from the configured upstream. Check your connectivity or the upstream DNS server status. The warning can also be printed when being spammed with an excessive amount of duplicates. It is printed at most once every five seconds. + +## Maximum number of concurrent DNS queries to `DOMAIN` reached (max: `NUMBER`) + +Same as above but for a specific domain. + +## ignoring invalid line in lease database: `STRING` `STRING` `STRING` `STRING` ... + +An invalid line in the lease file has been skipped. 
+ +## ignoring invalid line in lease database, bad address: `ADDRESS` + +Address found in the lease file is neither a valid IPv4 nor a valid IPv6 address. The line is skipped. + +## Ignoring domain `CONFIG_DOMAIN` for DHCP host name `HOSTNAME` + +A DHCP client is not allowed to claim name `HOSTNAME` in the current DHCP configuration. + +## overflow: `NUMBER` log entries lost + +When using asynchroneous logging and the disk is too slow, we can loose log lines during busy times. This can be avoided by decreasing the system load or switching to synchroneous logging. Note that synchroneous logging has the disadvantage of blocking DNS resolution when waiting for the log to be written to disk. + +## failed to create listening socket for `ADDRESS`: `MSG` + +A failure to bind addresses given by `listen-address` is accepted when `dnsmasq` is configured with `bind-dynamic`. + +## failed to create listening socket for port `NUMBER`: `MSG` + +Same as above but for a port rather than an address. + +## LOUD WARNING: listening on `ADDRESSS` may accept requests via interfaces other than `IFNAME` + +When using `bind-interfaces`, the only access control is the addresses `dnsmasq` is listening on. There's nothing to avoid a query to the address of an internal interface arriving via an external interface where we don't want to accept queries, except that in the usual case the addresses of internal interfaces are RFC1918. When `bind-interfaces` in use, and we listen on an address that looks like it's probably globally routeable, this warning is printed. + +## LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s) + +Advise printed when above's warning is printed. This warning is printed only once. + +## warning: using interface `IF_NAME` instead + +When configuring an interface alias (like `eth0:0`), `dnsmasq` will be listening on the physical (e.g. `eth0`) interface, instead. 
+ +## warning: no addresses found for interface `IF_NAME` + +`dnsmasq` has been configured to listen on an interface that has no address assigned to it. + +## ignoring nameserver `ADDRESS` - local interface + +At least one `server` directive is redundant and point to the `dnsmasq` instance itself. The server is ignored. + +## ignoring nameserver `ADDRESS` - cannot make/bind socket: `MSG` + +`dnsmasq` failed to allocate a socket for the mentioned server. The server is ignored. + +## no address range available for DHCP request with subnet selector `SUBNET` + +No DHCP context has been configured for this subnet selector. Check your DHCP settings. + +## no address range available for DHCP request via `ADDRESS` + +No DHCP context has been configured for this address. Check your DHCP settings. + +## no address range available for DHCP request via `IF_NAME` + +No DHCP context has been configured for this interface. Check your DHCP settings. + +## disabling DHCP static address `ADDRESS` for `HOSTNAME` + +Static DHCP leases are disabled when sending a DHCPDECLINE packet. + +## not using configured address `ADDRESS` because it is leased to `MAC` + +DHCPDISCOVER: Not handing out configured address because it is already actively used to anohter device with hardware address `MAC`. + +## not using configured address `ADDRESS` because it is in use by the server or relay + +Handing out addresses used by known critical infrastructure (like the DHCP server or a relay) is prevented to avoid IP address duplication issues. + +## not using configured address `ADDRESS` because it was previously declined + +As the warning says. Check your log file for reasons of a prior refusal to hand out this lease. This warning is at most logged once every 10 minutes for a given address. + +## cannot send DHCP/BOOTP option `NUMBER`: no space left in packet + +Use less DHCP options as the space for options is limited and cannot be extended (RFC2131). 
+ +## cannot send RFC3925 option: too many options for enterprise number `NUMBER` + +A maximum packet length of 250 bytes has to be ensured for `dhcp-option = vi-encap:13,17,.......` configurations. + +## no address range available for DHCPv6 request from relay at `ADDRESS` + +No DHCPv6 context has been configured for this address. Check your DHCPv6 settings. + +## no address range available for DHCPv6 request via `IF_NAME` + +No DHCPv6 context has been configured for this interface. Check your DHCPv6 settings. + +## disabling DHCP static address `ADDRESS` for `TIME` + +Static DHCPv6 leases are disabled when sending a DHCP(6)DECLINE packet. + +## IPset: error: `MSG` + +A non-critical error was encountered when trying to access an IPset device. A human-readable message explains it further. + +## warning: DIOCRADDADDRS: `MSG` + +A non-critical error was encountered when trying to add an address to an existing `ipset`. A human-readable message explains it further. + +## warning: DIOCRDELADDRS: `MSG` + +A non-critical error was encountered when trying to remove an address from an existing `ipset`. A human-readable message explains it further. diff --git a/mkdocs.yml b/mkdocs.yml index 2f9da9d..4423773 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -111,6 +111,7 @@ nav: - 'Signals': 'ftldns/signals.md' - 'Compatibility': ftldns/compatibility.md - 'Install from source': ftldns/compile.md + - 'dnsmasq warnings': ftldns/dnsmasq_warn.md - 'Debugging FTLDNS': - 'gdb': ftldns/debugging.md - 'valgrind': ftldns/valgrind.md From 33f45ddff6306b6af8ce68f8ce762d5d6bfdc252 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sat, 4 Dec 2021 15:24:46 +0100 Subject: [PATCH 2/5] Review comments Signed-off-by: DL6ER --- docs/ftldns/dnsmasq_warn.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/ftldns/dnsmasq_warn.md b/docs/ftldns/dnsmasq_warn.md index 8830cfb..bc574e1 100644 --- a/docs/ftldns/dnsmasq_warn.md +++ b/docs/ftldns/dnsmasq_warn.md 
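Review bot: In the new docs/ftldns/dnsmasq_warn.md hunk of PATCH 1/5, two entries are unfinished or leak a format specifier: the CNAME entry stops mid-sentence at "`dnsmasq` des", and the heading "warning: TFTP directory %s inaccessible" keeps the printf `%s` instead of a `PATH`-style placeholder like the rest of the page (the sibling entry uses `TFTP_PREFIX` for the same thing; pick one name). Placeholder names are also inconsistent between headings (`IF_NAME`, `IFNAME`, `NAME`; `ADDRESSS` has an extra S). Two explanations name the wrong actor or direction: under "Maximum number of concurrent DNS queries reached" the queue fills when no replies come back from upstream, so "not receiving queries from the configured upstream" should read "not receiving replies from the configured upstream"; and under "disabling DHCP static address `ADDRESS` for `HOSTNAME`" it is the client that sends the DECLINE, so "when sending a DHCPDECLINE packet" should say "when a client sends a DHCPDECLINE". Spelling to fix in the same pass: qhere, zweo, anwers, ment, asynchroneous/synchroneous, loose (lose), anohter, routeable (routable), "Advise printed" (Advice), "point to the `dnsmasq` instance" (points), "Use less DHCP options" (fewer), "a lot on memory" (of), and "`iptables` `DROPS` destination" reads better as "an `iptables` rule `DROP`s traffic to".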
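Review bot: In the mkdocs.yml hunk of PATCH 1/5, the new nav entry `- 'dnsmasq warnings': ftldns/dnsmasq_warn.md` is the only title in this block that does not start with a capital ('Signals', 'Compatibility', 'Install from source'); since `dnsmasq` is a lowercase name, suggest matching the page's own H1 and using `- 'Known dnsmasq warnings': ftldns/dnsmasq_warn.md`.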
@@ -20,7 +20,7 @@ Lookup for an A record in the cache returned no result. ## `HOSTNAME` is a CNAME, not giving it to the DHCP lease of `ADDRESS` -A hostname claimed by a DHCP client is a known CNAME. `dnsmasq` des +A hostname claimed by a DHCP client is a known CNAME. `dnsmasq` does not allow the DHCP clients to take this name. ## not giving name `HOSTNAME` to the DHCP lease of `ADDRESS` because the name exists in `SOURCE` with address `CACHE_ADDR` @@ -48,7 +48,7 @@ DHCP options specified more than once are ignored. The corresponding option ID i ## `HOSTNAME` has more than one address in hostsfile, using `ADDRESS` for DHCP -Some people like to keep all static IP addresses in `/etc/hosts`. `dnsmasq` goes through `/etc/hosts` and sets static addresses for any DHCP config records which don't have an address and whose name matches qhere `dnsmasq` maintains the invariant that any IP address can appear in at least one DHCP host. +Some people like to keep all static IP addresses in `/etc/hosts`. `dnsmasq` goes through `/etc/hosts` and sets static addresses for any DHCP config records which don't have an address and whose name matches where `dnsmasq` maintains the invariant that any IP address can appear in at least one DHCP host. ## duplicate IP address `ADDRESS` (`HOSTNAME`) in dhcp-config directive 
@@ -56,7 +56,7 @@ As the warning says. ## cache size greater than 10000 may cause performance issues, and is unlikely to be useful. -This causes the cache to consume a lot on memory and slows down cache lookups. As expiring cache entries naturally make room for new records, a large cache does not give any advantages beyond a certain level. This level is typically not very high. Try reducing the cache. Watch out for cache-evictions. If they are zweo over a long time, your cache is larger than what you need. +This causes the cache to consume a lot on memory and slows down cache lookups. As expiring cache entries naturally make room for new records, a large cache does not give any advantages beyond a certain level. This level is typically not very high. Try reducing the cache. Watch out for cache-evictions. If they are zero over a long time, your cache is larger than what you need. ## warning: failed to change owner of `PIDFILE`: `MSG` @@ -78,11 +78,11 @@ This points to a conflicting configuration that may not behave as expected. Remo Only local names can be answered as no `server=...` lines are defined. -## warning: `TFTP_PREFIX` inaccessible +## warning: `PATH` inaccessible The TFTP prefix (set by `tftp-prefix`) is inaccessible or not a directory. -## warning: TFTP directory %s inaccessible +## warning: TFTP directory `PATH` inaccessible One of the defined TFTP prefix (comma-separated arguments of `tftp-prefix`) is inaccessible or not a directory. 
@@ -124,7 +124,7 @@ Upstream at address `ADDRESS` is missing the `RA` (recursion available) bit. Thi ## reducing DNS packet size for nameserver `ADDRESS` to `SAFE_PKTSZ` -When receiving anwers from upstream only with a smaller maximum DNS packet size, `dnsmasq` remembers this decision and makes it permanent in the current session. +When receiving answers from upstream only with a smaller maximum DNS packet size, `dnsmasq` remembers this decision and makes it permanent in the current session. ## Ignoring query from non-local network @@ -220,7 +220,7 @@ Use less DHCP options as the space for options is limited and cannot be extended ## cannot send RFC3925 option: too many options for enterprise number `NUMBER` -A maximum packet length of 250 bytes has to be ensured for `dhcp-option = vi-encap:13,17,.......` configurations. +A maximum packet length of 250 bytes has to be ensured for `dhcp-option = vi-encap:13,17,...` configurations. ## no address range available for DHCPv6 request from relay at `ADDRESS` From 5874050eb792c4c68361e62f8f64067dd4a838d4 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sat, 4 Dec 2021 15:39:08 +0100 Subject: [PATCH 3/5] Format warnings without headers Signed-off-by: DL6ER --- docs/ftldns/dnsmasq_warn.md | 122 ++++++++++++++++++------------------ package-lock.json | 12 ++-- 2 files changed, 67 insertions(+), 67 deletions(-) diff --git a/docs/ftldns/dnsmasq_warn.md b/docs/ftldns/dnsmasq_warn.md index bc574e1..480f41f 100644 --- a/docs/ftldns/dnsmasq_warn.md +++ b/docs/ftldns/dnsmasq_warn.md 
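Review bot: In the @@ -20,7 hunk of PATCH 2/5, the completed sentence "`dnsmasq` does not allow the DHCP clients to take this name" should be singular ("the DHCP client") to agree with "A hostname claimed by a DHCP client" earlier in the same line.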
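Review bot: In the @@ -48,7 hunk of PATCH 2/5, changing "qhere" to "where" leaves a run-on that still does not parse: "whose name matches where `dnsmasq` maintains the invariant that any IP address can appear in at least one DHCP host". Suggest a full stop after "matches" and a check of the bound: an invariant that pairs with the "duplicate IP address `ADDRESS` (`HOSTNAME`) in dhcp-config directive" warning directly below is "at most one dhcp-host", not "at least one"; please verify against the dnsmasq source comment this sentence paraphrases.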
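Review bot: In the @@ -56,7 hunk of PATCH 2/5, the rewritten line still says "consume a lot on memory"; should be "a lot of memory". "Try reducing the cache" would also be clearer as "Try reducing the cache size" given the heading talks about `cache size`.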
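Review bot: In the @@ -78,11 hunk of PATCH 2/5, the explanation under the renamed "warning: TFTP directory `PATH` inaccessible" heading still reads "One of the defined TFTP prefix"; it refers to the comma-separated list, so it should be "One of the defined TFTP prefixes".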
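Review bot: In the @@ -124,7 hunk of PATCH 2/5, "remembers this decision and makes it permanent in the current session" contradicts itself (permanent versus session); suggest "keeps using the reduced packet size for the rest of the current session".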
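Review bot: In the @@ -220,7 hunk of PATCH 2/5, the visible context line "Use less DHCP options" should be "Use fewer DHCP options", and the RFC3925 sentence "A maximum packet length of 250 bytes has to be ensured" will confuse readers coming from the previous entry, which uses "packet" for the whole DHCP message: a DHCP packet is far larger than 250 bytes, so the cap being described is the size of the encapsulated vendor-specific option data for one enterprise number, and the sentence should say so rather than "packet length".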
@@ -2,246 +2,246 @@ Warnings commonly seen in `dnsmasq`'s log file (`/var/log/pihole.log`) and the Pi-hole diagnosis system. -## ignoring zone transfer request from `ADDRESS` +> **ignoring zone transfer request from `ADDRESS`** Zone transfer requests (AXFR) are refused *unless* `auth-sec-servers` or `auth-peers` is set. The address requesting the AXFR is logged. -## DHCP request for unsupported hardware type (`X`) received on `Y` +> **DHCP request for unsupported hardware type (`X`) received on `Y`** `dnsmasq` only supports Ethernet on *BSD. The integer `X` describes the hardware type (see `/usr/include/linux/if_arp.h` for definitions). `Y` is the name of the receiving interface. -## Unknown protocol version from route socket +> **Unknown protocol version from route socket** As the warning says. No action is performed in this case. -## No IPv4 address found for `HOSTNAME` +> **No IPv4 address found for `HOSTNAME`** Lookup for an A record in the cache returned no result. -## `HOSTNAME` is a CNAME, not giving it to the DHCP lease of `ADDRESS` +> **`HOSTNAME` is a CNAME, not giving it to the DHCP lease of `ADDRESS`** A hostname claimed by a DHCP client is a known CNAME. `dnsmasq` does not allow the DHCP clients to take this name. -## not giving name `HOSTNAME` to the DHCP lease of `ADDRESS` because the name exists in `SOURCE` with address `CACHE_ADDR` +> **not giving name `HOSTNAME` to the DHCP lease of `ADDRESS` because the name exists in `SOURCE` with address `CACHE_ADDR`** If `HOSTNAME` is known through a HOSTS file or config (see `SOURCE`) and the DHCP address `ADDRESS` does *not* match the address in the cache (`CACHE_ADDR`), `dnsmasq` prevents giving the name to a DHCP client. This prevents possible hostname hijacking by malicious devices. 
-## unknown interface `IF_NAME` in bridge-interface +> **unknown interface `IF_NAME` in bridge-interface** If the interface on which the DHCPv6 request was received is an alias of some other interface (as specified by the `bridge-interface` option), `dnsmasq` needs to look for DHCPv6 contexts associated with the aliased interface instead of with the aliasing one. This warning complains that the referenced interface does not exist. -## DHCP packet received on `IF_NAME` which has no address +> **DHCP packet received on `IF_NAME` which has no address** No DHCP context has been configured for this interface. Check your DHCP settings. -## Error sending DHCP packet to `ADDRESS`: `MSG` +> **Error sending DHCP packet to `ADDRESS`: `MSG`** This can fail when, e.g., `iptables` `DROPS` destination `255.255.255.255`. Check your firewall settings. -## DHCP range `ADDRESS_FROM` -- `ADDRESS_TO` is not consistent with netmask `SUBNET_MASK` +> **DHCP range `ADDRESS_FROM` -- `ADDRESS_TO` is not consistent with netmask `SUBNET_MASK`** This warning highlights that one of the two addresses is outside of the configured subnet mask. As a consequence, not all addresses may be reachable from configured hosts leading to unexpected behavior on the clients. Make your DHCP settings consistent. -## Ignoring duplicate dhcp-option `OPTNUM` +> **Ignoring duplicate dhcp-option `OPTNUM`** DHCP options specified more than once are ignored. The corresponding option ID is given by `OPTNUM` -## `HOSTNAME` has more than one address in hostsfile, using `ADDRESS` for DHCP +> **`HOSTNAME` has more than one address in hostsfile, using `ADDRESS` for DHCP** Some people like to keep all static IP addresses in `/etc/hosts`. `dnsmasq` goes through `/etc/hosts` and sets static addresses for any DHCP config records which don't have an address and whose name matches where `dnsmasq` maintains the invariant that any IP address can appear in at least one DHCP host. 
-## duplicate IP address `ADDRESS` (`HOSTNAME`) in dhcp-config directive +> **duplicate IP address `ADDRESS` (`HOSTNAME`) in dhcp-config directive** As the warning says. -## cache size greater than 10000 may cause performance issues, and is unlikely to be useful. +> **cache size greater than 10000 may cause performance issues, and is unlikely to be useful.** This causes the cache to consume a lot on memory and slows down cache lookups. As expiring cache entries naturally make room for new records, a large cache does not give any advantages beyond a certain level. This level is typically not very high. Try reducing the cache. Watch out for cache-evictions. If they are zero over a long time, your cache is larger than what you need. -## warning: failed to change owner of `PIDFILE`: `MSG` +> **warning: failed to change owner of `PIDFILE`: `MSG`** Changing the ownership of the PID file (`PIDFILE`) to the user `dnsmasq` will be running as failed. A descriptive error message (`MSG`) is given to explain why the `chown` failed. -## setting --bind-interfaces option because of OS limitations +> **setting --bind-interfaces option because of OS limitations** Only affects non-Linux builds. `bind-dynamic` is not supported on non-Linux. `dnsmasq` falls back to `bind-interfaces` -## warning: interface `NAME` does not currently exist +> **warning: interface `NAME` does not currently exist** As the warning says. Likely caused by an `interface=NAME` option where the interface `NAME` does not exist. Check if your operating system may have changed from simple (like `eth0`) to predictable (like `enp2s0`) interface names. Update your configuration accordingly. -## warning: ignoring resolv-file flag because no-resolv is set +> **warning: ignoring resolv-file flag because no-resolv is set** This points to a conflicting configuration that may not behave as expected. Remove either the `resolv-file` or the `--no-resolv` option. 
-## warning: no upstream servers configured +> **warning: no upstream servers configured** Only local names can be answered as no `server=...` lines are defined. -## warning: `PATH` inaccessible +> **warning: `PATH` inaccessible** The TFTP prefix (set by `tftp-prefix`) is inaccessible or not a directory. -## warning: TFTP directory `PATH` inaccessible +> **warning: TFTP directory `PATH` inaccessible** One of the defined TFTP prefix (comma-separated arguments of `tftp-prefix`) is inaccessible or not a directory. -## restricting maximum simultaneous TFTP transfers to `NUMBER` +> **restricting maximum simultaneous TFTP transfers to `NUMBER`** If a limited range of ports is in use, this also limits the number of concurrent TFTP transfers. -## script process killed by signal `SIGNUM` +> **script process killed by signal `SIGNUM`** A script helper was killed by an external signal (`SIGNUM`). -## script process exited with status `EXITCODE` +> **script process exited with status `EXITCODE`** A script helper exited with a non-success return code (`EXITCODE`). -## failed to access `RESOLV_FILE`: `MSG` +> **failed to access `RESOLV_FILE`: `MSG`** This line is logged when `dnsmasq` fails to access one of the files defined through `resolv-file`. This warning is printed only once per file. -## no servers found in `RESOLV_FILE`, will retry +> **no servers found in `RESOLV_FILE`, will retry** The read file was empty. `dnsmasq` will read it again. This warning is printed only once per file. -## Insecure DS reply received for `DOMAIN`, check domain configuration and upstream DNS server DNSSEC support +> **Insecure DS reply received for `DOMAIN`, check domain configuration and upstream DNS server DNSSEC support** A query was marked BOGUS because a DS query could not be validated (returned INSECURE). -## discarding DNS reply: subnet option mismatch +> **discarding DNS reply: subnet option mismatch** When the EDNS0 option `add-subnet` is in use, `dnsmasq` needs to check the reply. 
If the returned subnet does not match, the reply is treated as invalid. -## nameserver `ADDRESS` refused to do a recursive query +> **nameserver `ADDRESS` refused to do a recursive query** Upstream at address `ADDRESS` is missing the `RA` (recursion available) bit. This warning is printed only once per server. -## possible DNS-rebind attack detected: `NAME` +> **possible DNS-rebind attack detected: `NAME`** `A` and `AAAA` answers are checked against possible rebind attacks when `stop-dns-rebind` is enabled. See `rebind-domain-ok=/domain/` for adding exceptions. -## reducing DNS packet size for nameserver `ADDRESS` to `SAFE_PKTSZ` +> **reducing DNS packet size for nameserver `ADDRESS` to `SAFE_PKTSZ`** When receiving answers from upstream only with a smaller maximum DNS packet size, `dnsmasq` remembers this decision and makes it permanent in the current session. -## Ignoring query from non-local network +> **Ignoring query from non-local network** `dnsmasq` can be configured to only accept queries from at-most-one-hop-away addresses using the option `local-service`. Other queries are discarded in this case. This is ment to be a safe default to keep otherwise unconfigured installations safe. Note that `local-service` is ignored if *any* access-control config is in place (`interface`, `except-interface`, `listen-address` or `auth-server`). -## Maximum number of concurrent DNS queries reached (max: `NUMBER`) +> **Maximum number of concurrent DNS queries reached (max: `NUMBER`)** The configured maximum number of concurrent DNS queries has been reached. The system is either very busy at the moment or not receiving queries from the configured upstream. Check your connectivity or the upstream DNS server status. The warning can also be printed when being spammed with an excessive amount of duplicates. It is printed at most once every five seconds. 
-## Maximum number of concurrent DNS queries to `DOMAIN` reached (max: `NUMBER`) +> **Maximum number of concurrent DNS queries to `DOMAIN` reached (max: `NUMBER`)** Same as above but for a specific domain. -## ignoring invalid line in lease database: `STRING` `STRING` `STRING` `STRING` ... +> **ignoring invalid line in lease database: `STRING` `STRING` `STRING` `STRING` ...** An invalid line in the lease file has been skipped. -## ignoring invalid line in lease database, bad address: `ADDRESS` +> **ignoring invalid line in lease database, bad address: `ADDRESS`** Address found in the lease file is neither a valid IPv4 nor a valid IPv6 address. The line is skipped. -## Ignoring domain `CONFIG_DOMAIN` for DHCP host name `HOSTNAME` +> **Ignoring domain `CONFIG_DOMAIN` for DHCP host name `HOSTNAME`** A DHCP client is not allowed to claim name `HOSTNAME` in the current DHCP configuration. -## overflow: `NUMBER` log entries lost +> **overflow: `NUMBER` log entries lost** When using asynchroneous logging and the disk is too slow, we can loose log lines during busy times. This can be avoided by decreasing the system load or switching to synchroneous logging. Note that synchroneous logging has the disadvantage of blocking DNS resolution when waiting for the log to be written to disk. -## failed to create listening socket for `ADDRESS`: `MSG` +> **failed to create listening socket for `ADDRESS`: `MSG`** A failure to bind addresses given by `listen-address` is accepted when `dnsmasq` is configured with `bind-dynamic`. -## failed to create listening socket for port `NUMBER`: `MSG` +> **failed to create listening socket for port `NUMBER`: `MSG`** Same as above but for a port rather than an address. 
-## LOUD WARNING: listening on `ADDRESSS` may accept requests via interfaces other than `IFNAME` +> **LOUD WARNING: listening on `ADDRESSS` may accept requests via interfaces other than `IFNAME`** When using `bind-interfaces`, the only access control is the addresses `dnsmasq` is listening on. There's nothing to avoid a query to the address of an internal interface arriving via an external interface where we don't want to accept queries, except that in the usual case the addresses of internal interfaces are RFC1918. When `bind-interfaces` in use, and we listen on an address that looks like it's probably globally routeable, this warning is printed. -## LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s) +> **LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)** Advise printed when above's warning is printed. This warning is printed only once. -## warning: using interface `IF_NAME` instead +> **warning: using interface `IF_NAME` instead** When configuring an interface alias (like `eth0:0`), `dnsmasq` will be listening on the physical (e.g. `eth0`) interface, instead. -## warning: no addresses found for interface `IF_NAME` +> **warning: no addresses found for interface `IF_NAME`** `dnsmasq` has been configured to listen on an interface that has no address assigned to it. -## ignoring nameserver `ADDRESS` - local interface +> **ignoring nameserver `ADDRESS` - local interface** At least one `server` directive is redundant and point to the `dnsmasq` instance itself. The server is ignored. -## ignoring nameserver `ADDRESS` - cannot make/bind socket: `MSG` +> **ignoring nameserver `ADDRESS` - cannot make/bind socket: `MSG`** `dnsmasq` failed to allocate a socket for the mentioned server. The server is ignored. 
-## no address range available for DHCP request with subnet selector `SUBNET` +> **no address range available for DHCP request with subnet selector `SUBNET`** No DHCP context has been configured for this subnet selector. Check your DHCP settings. -## no address range available for DHCP request via `ADDRESS` +> **no address range available for DHCP request via `ADDRESS`** No DHCP context has been configured for this address. Check your DHCP settings. -## no address range available for DHCP request via `IF_NAME` +> **no address range available for DHCP request via `IF_NAME`** No DHCP context has been configured for this interface. Check your DHCP settings. -## disabling DHCP static address `ADDRESS` for `HOSTNAME` +> **disabling DHCP static address `ADDRESS` for `HOSTNAME`** Static DHCP leases are disabled when sending a DHCPDECLINE packet. -## not using configured address `ADDRESS` because it is leased to `MAC` +> **not using configured address `ADDRESS` because it is leased to `MAC`** DHCPDISCOVER: Not handing out configured address because it is already actively used to anohter device with hardware address `MAC`. -## not using configured address `ADDRESS` because it is in use by the server or relay +> **not using configured address `ADDRESS` because it is in use by the server or relay** Handing out addresses used by known critical infrastructure (like the DHCP server or a relay) is prevented to avoid IP address duplication issues. -## not using configured address `ADDRESS` because it was previously declined +> **not using configured address `ADDRESS` because it was previously declined** As the warning says. Check your log file for reasons of a prior refusal to hand out this lease. This warning is at most logged once every 10 minutes for a given address. 
-## cannot send DHCP/BOOTP option `NUMBER`: no space left in packet +> **cannot send DHCP/BOOTP option `NUMBER`: no space left in packet** Use less DHCP options as the space for options is limited and cannot be extended (RFC2131). -## cannot send RFC3925 option: too many options for enterprise number `NUMBER` +> **cannot send RFC3925 option: too many options for enterprise number `NUMBER`** A maximum packet length of 250 bytes has to be ensured for `dhcp-option = vi-encap:13,17,...` configurations. -## no address range available for DHCPv6 request from relay at `ADDRESS` +> **no address range available for DHCPv6 request from relay at `ADDRESS`** No DHCPv6 context has been configured for this address. Check your DHCPv6 settings. -## no address range available for DHCPv6 request via `IF_NAME` +> **no address range available for DHCPv6 request via `IF_NAME`** No DHCPv6 context has been configured for this interface. Check your DHCPv6 settings. -## disabling DHCP static address `ADDRESS` for `TIME` +> **disabling DHCP static address `ADDRESS` for `TIME`** Static DHCPv6 leases are disabled when sending a DHCP(6)DECLINE packet. -## IPset: error: `MSG` +> **IPset: error: `MSG`** A non-critical error was encountered when trying to access an IPset device. A human-readable message explains it further. -## warning: DIOCRADDADDRS: `MSG` +> **warning: DIOCRADDADDRS: `MSG`** A non-critical error was encountered when trying to add an address to an existing `ipset`. A human-readable message explains it further. -## warning: DIOCRDELADDRS: `MSG` +> **warning: DIOCRDELADDRS: `MSG`** A non-critical error was encountered when trying to remove an address from an existing `ipset`. A human-readable message explains it further. diff --git a/package-lock.json b/package-lock.json index 0dadfc6..01c0509 100644 --- a/package-lock.json +++ b/package-lock.json 
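Review bot: The heading-to-blockquote conversion carries several typos verbatim from the removed `##` lines into the new `> **...**` lines, and since every line of the hunk is touched anyway this is the place to correct them: the placeholder `ADDRESSS` (three S's) in the `LOUD WARNING: listening on ...` pair, `anohter` under `not using configured address ... leased to MAC`, `Advise printed when above's warning is printed` (should read `Advice printed together with the warning above`), `At least one server directive is redundant and point to` (`points to`), `When bind-interfaces in use` (`is in use`), and `Use less DHCP options` (`fewer`). Two further points: replacing `##` headings with bold blockquotes removes the per-warning heading anchors, so nothing can deep-link to an individual warning any more, which is worth stating in the commit message if it is intended; and the explanation under `use --bind-dynamic rather than --bind-interfaces` would be more useful if it repeated the consequence already stated in the preceding entry, namely that with `bind-interfaces` a globally routable listen address can receive queries via the wrong interface and be abused for amplification, which is why `bind-dynamic` is the recommended fix.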
@@ -617,9 +617,9 @@ ] }, "node_modules/domhandler": { - "version": "4.2.2", - "resolved": "https://registry.npmjs.org/domhandler/-/domhandler-4.2.2.tgz", - "integrity": "sha512-PzE9aBMsdZO8TK4BnuJwH0QT41wgMbRzuZrHUcpYncEjmQazq8QEaBWgLG7ZyC/DAZKEgglpIA6j4Qn/HmxS3w==", + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/domhandler/-/domhandler-4.3.0.tgz", + "integrity": "sha512-fC0aXNQXqKSFTr2wDNZDhsEYjCiYsDWl3D01kwt25hm1YIPyDGHvvi3rw+PLqHAl/m71MaiF7d5zvBr0p5UB2g==", "dev": true, "dependencies": { "domelementtype": "^2.2.0" @@ -2861,9 +2861,9 @@ "dev": true }, "domhandler": { - "version": "4.2.2", - "resolved": "https://registry.npmjs.org/domhandler/-/domhandler-4.2.2.tgz", - "integrity": "sha512-PzE9aBMsdZO8TK4BnuJwH0QT41wgMbRzuZrHUcpYncEjmQazq8QEaBWgLG7ZyC/DAZKEgglpIA6j4Qn/HmxS3w==", + "version": "4.3.0", + "resolved": "https://registry.npmjs.org/domhandler/-/domhandler-4.3.0.tgz", + "integrity": "sha512-fC0aXNQXqKSFTr2wDNZDhsEYjCiYsDWl3D01kwt25hm1YIPyDGHvvi3rw+PLqHAl/m71MaiF7d5zvBr0p5UB2g==", "dev": true, "requires": { "domelementtype": "^2.2.0" From 305e62394a58bbf74ee2c81af4f8f3b22a468822 Mon Sep 17 00:00:00 2001 From: DL6ER Date: Sat, 4 Dec 2021 15:49:27 +0100 Subject: [PATCH 4/5] Format dnsmasq warnigns in warning blocks Signed-off-by: DL6ER --- docs/ftldns/dnsmasq_warn.md | 244 ++++++++++++++++++------------------ 1 file changed, 122 insertions(+), 122 deletions(-) diff --git a/docs/ftldns/dnsmasq_warn.md b/docs/ftldns/dnsmasq_warn.md index 480f41f..7da8bb8 100644 --- a/docs/ftldns/dnsmasq_warn.md +++ b/docs/ftldns/dnsmasq_warn.md 
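Review bot: The two hunks at `@@ -617,9 +617,9 @@` and `@@ -2861,9 +2861,9 @@` bump the `domhandler` dev dependency from 4.2.2 to 4.3.0 in `package-lock.json` only, which is unrelated to the documentation change this series is about; split the lockfile bump into its own commit with a subject that says so, so the new `resolved` URL and `integrity` hash can be reviewed and reverted independently of the docs. Also confirm that `package.json` needs no matching range change, since it is not in the diff: a lockfile-only bump within the existing `^` range is fine, otherwise the two files drift.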
@@ -2,246 +2,246 @@ Warnings commonly seen in `dnsmasq`'s log file (`/var/log/pihole.log`) and the Pi-hole diagnosis system. -> **ignoring zone transfer request from `ADDRESS`** +!!! warning "ignoring zone transfer request from `ADDRESS`" -Zone transfer requests (AXFR) are refused *unless* `auth-sec-servers` or `auth-peers` is set. The address requesting the AXFR is logged. + Zone transfer requests (AXFR) are refused *unless* `auth-sec-servers` or `auth-peers` is set. The address requesting the AXFR is logged. -> **DHCP request for unsupported hardware type (`X`) received on `Y`** +!!! warning "DHCP request for unsupported hardware type (`X`) received on `Y`" -`dnsmasq` only supports Ethernet on *BSD. The integer `X` describes the hardware type (see `/usr/include/linux/if_arp.h` for definitions). `Y` is the name of the receiving interface. + `dnsmasq` only supports Ethernet on *BSD. The integer `X` describes the hardware type (see `/usr/include/linux/if_arp.h` for definitions). `Y` is the name of the receiving interface. -> **Unknown protocol version from route socket** +!!! warning "Unknown protocol version from route socket" -As the warning says. No action is performed in this case. + As the warning says. No action is performed in this case. -> **No IPv4 address found for `HOSTNAME`** +!!! warning "No IPv4 address found for `HOSTNAME`" -Lookup for an A record in the cache returned no result. + Lookup for an A record in the cache returned no result. -> **`HOSTNAME` is a CNAME, not giving it to the DHCP lease of `ADDRESS`** +!!! warning "`HOSTNAME` is a CNAME, not giving it to the DHCP lease of `ADDRESS`" -A hostname claimed by a DHCP client is a known CNAME. `dnsmasq` does not allow the DHCP clients to take this name. + A hostname claimed by a DHCP client is a known CNAME. `dnsmasq` does not allow the DHCP clients to take this name. -> **not giving name `HOSTNAME` to the DHCP lease of `ADDRESS` because the name exists in `SOURCE` with address `CACHE_ADDR`** +!!! 
warning "not giving name `HOSTNAME` to the DHCP lease of `ADDRESS` because the name exists in `SOURCE` with address `CACHE_ADDR`" -If `HOSTNAME` is known through a HOSTS file or config (see `SOURCE`) and the DHCP address `ADDRESS` does *not* match the address in the cache (`CACHE_ADDR`), `dnsmasq` prevents giving the name to a DHCP client. This prevents possible hostname hijacking by malicious devices. + If `HOSTNAME` is known through a HOSTS file or config (see `SOURCE`) and the DHCP address `ADDRESS` does *not* match the address in the cache (`CACHE_ADDR`), `dnsmasq` prevents giving the name to a DHCP client. This prevents possible hostname hijacking by malicious devices. -> **unknown interface `IF_NAME` in bridge-interface** +!!! warning "unknown interface `IF_NAME` in bridge-interface" -If the interface on which the DHCPv6 request was received is an alias of some other interface (as specified by the `bridge-interface` option), `dnsmasq` needs to look for DHCPv6 contexts associated with the aliased interface instead of with the aliasing one. This warning complains that the referenced interface does not exist. + If the interface on which the DHCPv6 request was received is an alias of some other interface (as specified by the `bridge-interface` option), `dnsmasq` needs to look for DHCPv6 contexts associated with the aliased interface instead of with the aliasing one. This warning complains that the referenced interface does not exist. -> **DHCP packet received on `IF_NAME` which has no address** +!!! warning "DHCP packet received on `IF_NAME` which has no address" -No DHCP context has been configured for this interface. Check your DHCP settings. + No DHCP context has been configured for this interface. Check your DHCP settings. -> **Error sending DHCP packet to `ADDRESS`: `MSG`** +!!! warning "Error sending DHCP packet to `ADDRESS`: `MSG`" -This can fail when, e.g., `iptables` `DROPS` destination `255.255.255.255`. Check your firewall settings. 
+ This can fail when, e.g., `iptables` `DROPS` destination `255.255.255.255`. Check your firewall settings. -> **DHCP range `ADDRESS_FROM` -- `ADDRESS_TO` is not consistent with netmask `SUBNET_MASK`** +!!! warning "DHCP range `ADDRESS_FROM` -- `ADDRESS_TO` is not consistent with netmask `SUBNET_MASK`" -This warning highlights that one of the two addresses is outside of the configured subnet mask. As a consequence, not all addresses may be reachable from configured hosts leading to unexpected behavior on the clients. Make your DHCP settings consistent. + This warning highlights that one of the two addresses is outside of the configured subnet mask. As a consequence, not all addresses may be reachable from configured hosts leading to unexpected behavior on the clients. Make your DHCP settings consistent. -> **Ignoring duplicate dhcp-option `OPTNUM`** +!!! warning "Ignoring duplicate dhcp-option `OPTNUM`" -DHCP options specified more than once are ignored. The corresponding option ID is given by `OPTNUM` + DHCP options specified more than once are ignored. The corresponding option ID is given by `OPTNUM` -> **`HOSTNAME` has more than one address in hostsfile, using `ADDRESS` for DHCP** +!!! warning "`HOSTNAME` has more than one address in hostsfile, using `ADDRESS` for DHCP" -Some people like to keep all static IP addresses in `/etc/hosts`. `dnsmasq` goes through `/etc/hosts` and sets static addresses for any DHCP config records which don't have an address and whose name matches where `dnsmasq` maintains the invariant that any IP address can appear in at least one DHCP host. + Some people like to keep all static IP addresses in `/etc/hosts`. `dnsmasq` goes through `/etc/hosts` and sets static addresses for any DHCP config records which don't have an address and whose name matches where `dnsmasq` maintains the invariant that any IP address can appear in at least one DHCP host. -> **duplicate IP address `ADDRESS` (`HOSTNAME`) in dhcp-config directive** +!!! 
warning "duplicate IP address `ADDRESS` (`HOSTNAME`) in dhcp-config directive" -As the warning says. + As the warning says. -> **cache size greater than 10000 may cause performance issues, and is unlikely to be useful.** +!!! warning "cache size greater than 10000 may cause performance issues, and is unlikely to be useful." -This causes the cache to consume a lot on memory and slows down cache lookups. As expiring cache entries naturally make room for new records, a large cache does not give any advantages beyond a certain level. This level is typically not very high. Try reducing the cache. Watch out for cache-evictions. If they are zero over a long time, your cache is larger than what you need. + This causes the cache to consume a lot on memory and slows down cache lookups. As expiring cache entries naturally make room for new records, a large cache does not give any advantages beyond a certain level. This level is typically not very high. Try reducing the cache. Watch out for cache-evictions. If they are zero over a long time, your cache is larger than what you need. -> **warning: failed to change owner of `PIDFILE`: `MSG`** +!!! warning "warning: failed to change owner of `PIDFILE`: `MSG`" -Changing the ownership of the PID file (`PIDFILE`) to the user `dnsmasq` will be running as failed. A descriptive error message (`MSG`) is given to explain why the `chown` failed. + Changing the ownership of the PID file (`PIDFILE`) to the user `dnsmasq` will be running as failed. A descriptive error message (`MSG`) is given to explain why the `chown` failed. -> **setting --bind-interfaces option because of OS limitations** +!!! warning "setting --bind-interfaces option because of OS limitations" -Only affects non-Linux builds. `bind-dynamic` is not supported on non-Linux. `dnsmasq` falls back to `bind-interfaces` + Only affects non-Linux builds. `bind-dynamic` is not supported on non-Linux. 
`dnsmasq` falls back to `bind-interfaces` -> **warning: interface `NAME` does not currently exist** +!!! warning "warning: interface `NAME` does not currently exist" -As the warning says. Likely caused by an `interface=NAME` option where the interface `NAME` does not exist. Check if your operating system may have changed from simple (like `eth0`) to predictable (like `enp2s0`) interface names. Update your configuration accordingly. + As the warning says. Likely caused by an `interface=NAME` option where the interface `NAME` does not exist. Check if your operating system may have changed from simple (like `eth0`) to predictable (like `enp2s0`) interface names. Update your configuration accordingly. -> **warning: ignoring resolv-file flag because no-resolv is set** +!!! warning "warning: ignoring resolv-file flag because no-resolv is set" -This points to a conflicting configuration that may not behave as expected. Remove either the `resolv-file` or the `--no-resolv` option. + This points to a conflicting configuration that may not behave as expected. Remove either the `resolv-file` or the `--no-resolv` option. -> **warning: no upstream servers configured** +!!! warning "warning: no upstream servers configured" -Only local names can be answered as no `server=...` lines are defined. + Only local names can be answered as no `server=...` lines are defined. -> **warning: `PATH` inaccessible** +!!! warning "warning: `PATH` inaccessible" -The TFTP prefix (set by `tftp-prefix`) is inaccessible or not a directory. + The TFTP prefix (set by `tftp-prefix`) is inaccessible or not a directory. -> **warning: TFTP directory `PATH` inaccessible** +!!! warning "warning: TFTP directory `PATH` inaccessible" -One of the defined TFTP prefix (comma-separated arguments of `tftp-prefix`) is inaccessible or not a directory. + One of the defined TFTP prefix (comma-separated arguments of `tftp-prefix`) is inaccessible or not a directory. 
-> **restricting maximum simultaneous TFTP transfers to `NUMBER`** +!!! warning "restricting maximum simultaneous TFTP transfers to `NUMBER`" -If a limited range of ports is in use, this also limits the number of concurrent TFTP transfers. + If a limited range of ports is in use, this also limits the number of concurrent TFTP transfers. -> **script process killed by signal `SIGNUM`** +!!! warning "script process killed by signal `SIGNUM`" -A script helper was killed by an external signal (`SIGNUM`). + A script helper was killed by an external signal (`SIGNUM`). -> **script process exited with status `EXITCODE`** +!!! warning "script process exited with status `EXITCODE`" -A script helper exited with a non-success return code (`EXITCODE`). + A script helper exited with a non-success return code (`EXITCODE`). -> **failed to access `RESOLV_FILE`: `MSG`** +!!! warning "failed to access `RESOLV_FILE`: `MSG`" -This line is logged when `dnsmasq` fails to access one of the files defined through `resolv-file`. This warning is printed only once per file. + This line is logged when `dnsmasq` fails to access one of the files defined through `resolv-file`. This warning is printed only once per file. -> **no servers found in `RESOLV_FILE`, will retry** +!!! warning "no servers found in `RESOLV_FILE`, will retry" -The read file was empty. `dnsmasq` will read it again. This warning is printed only once per file. + The read file was empty. `dnsmasq` will read it again. This warning is printed only once per file. -> **Insecure DS reply received for `DOMAIN`, check domain configuration and upstream DNS server DNSSEC support** +!!! warning "Insecure DS reply received for `DOMAIN`, check domain configuration and upstream DNS server DNSSEC support" -A query was marked BOGUS because a DS query could not be validated (returned INSECURE). + A query was marked BOGUS because a DS query could not be validated (returned INSECURE). -> **discarding DNS reply: subnet option mismatch** +!!! 
warning "discarding DNS reply: subnet option mismatch" -When the EDNS0 option `add-subnet` is in use, `dnsmasq` needs to check the reply. If the returned subnet does not match, the reply is treated as invalid. + When the EDNS0 option `add-subnet` is in use, `dnsmasq` needs to check the reply. If the returned subnet does not match, the reply is treated as invalid. -> **nameserver `ADDRESS` refused to do a recursive query** +!!! warning "nameserver `ADDRESS` refused to do a recursive query" -Upstream at address `ADDRESS` is missing the `RA` (recursion available) bit. This warning is printed only once per server. + Upstream at address `ADDRESS` is missing the `RA` (recursion available) bit. This warning is printed only once per server. -> **possible DNS-rebind attack detected: `NAME`** +!!! warning "possible DNS-rebind attack detected: `NAME`" -`A` and `AAAA` answers are checked against possible rebind attacks when `stop-dns-rebind` is enabled. See `rebind-domain-ok=/domain/` for adding exceptions. + `A` and `AAAA` answers are checked against possible rebind attacks when `stop-dns-rebind` is enabled. See `rebind-domain-ok=/domain/` for adding exceptions. -> **reducing DNS packet size for nameserver `ADDRESS` to `SAFE_PKTSZ`** +!!! warning "reducing DNS packet size for nameserver `ADDRESS` to `SAFE_PKTSZ`" -When receiving answers from upstream only with a smaller maximum DNS packet size, `dnsmasq` remembers this decision and makes it permanent in the current session. + When receiving answers from upstream only with a smaller maximum DNS packet size, `dnsmasq` remembers this decision and makes it permanent in the current session. -> **Ignoring query from non-local network** +!!! warning "Ignoring query from non-local network" -`dnsmasq` can be configured to only accept queries from at-most-one-hop-away addresses using the option `local-service`. Other queries are discarded in this case. This is ment to be a safe default to keep otherwise unconfigured installations safe. 
Note that `local-service` is ignored if *any* access-control config is in place (`interface`, `except-interface`, `listen-address` or `auth-server`). + `dnsmasq` can be configured to only accept queries from at-most-one-hop-away addresses using the option `local-service`. Other queries are discarded in this case. This is ment to be a safe default to keep otherwise unconfigured installations safe. Note that `local-service` is ignored if *any* access-control config is in place (`interface`, `except-interface`, `listen-address` or `auth-server`). -> **Maximum number of concurrent DNS queries reached (max: `NUMBER`)** +!!! warning "Maximum number of concurrent DNS queries reached (max: `NUMBER`)" -The configured maximum number of concurrent DNS queries has been reached. The system is either very busy at the moment or not receiving queries from the configured upstream. Check your connectivity or the upstream DNS server status. The warning can also be printed when being spammed with an excessive amount of duplicates. It is printed at most once every five seconds. + The configured maximum number of concurrent DNS queries has been reached. The system is either very busy at the moment or not receiving queries from the configured upstream. Check your connectivity or the upstream DNS server status. The warning can also be printed when being spammed with an excessive amount of duplicates. It is printed at most once every five seconds. -> **Maximum number of concurrent DNS queries to `DOMAIN` reached (max: `NUMBER`)** +!!! warning "Maximum number of concurrent DNS queries to `DOMAIN` reached (max: `NUMBER`)" -Same as above but for a specific domain. + Same as above but for a specific domain. -> **ignoring invalid line in lease database: `STRING` `STRING` `STRING` `STRING` ...** +!!! warning "ignoring invalid line in lease database: `STRING` `STRING` `STRING` `STRING` ..." -An invalid line in the lease file has been skipped. + An invalid line in the lease file has been skipped. 
-> **ignoring invalid line in lease database, bad address: `ADDRESS`** +!!! warning "ignoring invalid line in lease database, bad address: `ADDRESS`" -Address found in the lease file is neither a valid IPv4 nor a valid IPv6 address. The line is skipped. + Address found in the lease file is neither a valid IPv4 nor a valid IPv6 address. The line is skipped. -> **Ignoring domain `CONFIG_DOMAIN` for DHCP host name `HOSTNAME`** +!!! warning "Ignoring domain `CONFIG_DOMAIN` for DHCP host name `HOSTNAME`" -A DHCP client is not allowed to claim name `HOSTNAME` in the current DHCP configuration. + A DHCP client is not allowed to claim name `HOSTNAME` in the current DHCP configuration. -> **overflow: `NUMBER` log entries lost** +!!! warning "overflow: `NUMBER` log entries lost" -When using asynchroneous logging and the disk is too slow, we can loose log lines during busy times. This can be avoided by decreasing the system load or switching to synchroneous logging. Note that synchroneous logging has the disadvantage of blocking DNS resolution when waiting for the log to be written to disk. + When using asynchroneous logging and the disk is too slow, we can loose log lines during busy times. This can be avoided by decreasing the system load or switching to synchroneous logging. Note that synchroneous logging has the disadvantage of blocking DNS resolution when waiting for the log to be written to disk. -> **failed to create listening socket for `ADDRESS`: `MSG`** +!!! warning "failed to create listening socket for `ADDRESS`: `MSG`" -A failure to bind addresses given by `listen-address` is accepted when `dnsmasq` is configured with `bind-dynamic`. + A failure to bind addresses given by `listen-address` is accepted when `dnsmasq` is configured with `bind-dynamic`. -> **failed to create listening socket for port `NUMBER`: `MSG`** +!!! warning "failed to create listening socket for port `NUMBER`: `MSG`" -Same as above but for a port rather than an address. 
+ Same as above but for a port rather than an address. -> **LOUD WARNING: listening on `ADDRESSS` may accept requests via interfaces other than `IFNAME`** +!!! warning "LOUD WARNING: listening on `ADDRESSS` may accept requests via interfaces other than `IFNAME`" -When using `bind-interfaces`, the only access control is the addresses `dnsmasq` is listening on. There's nothing to avoid a query to the address of an internal interface arriving via an external interface where we don't want to accept queries, except that in the usual case the addresses of internal interfaces are RFC1918. When `bind-interfaces` in use, and we listen on an address that looks like it's probably globally routeable, this warning is printed. + When using `bind-interfaces`, the only access control is the addresses `dnsmasq` is listening on. There's nothing to avoid a query to the address of an internal interface arriving via an external interface where we don't want to accept queries, except that in the usual case the addresses of internal interfaces are RFC1918. When `bind-interfaces` in use, and we listen on an address that looks like it's probably globally routeable, this warning is printed. -> **LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)** +!!! warning "LOUD WARNING: use --bind-dynamic rather than --bind-interfaces to avoid DNS amplification attacks via these interface(s)" -Advise printed when above's warning is printed. This warning is printed only once. + Advise printed when above's warning is printed. This warning is printed only once. -> **warning: using interface `IF_NAME` instead** +!!! warning "warning: using interface `IF_NAME` instead" -When configuring an interface alias (like `eth0:0`), `dnsmasq` will be listening on the physical (e.g. `eth0`) interface, instead. + When configuring an interface alias (like `eth0:0`), `dnsmasq` will be listening on the physical (e.g. `eth0`) interface, instead. 
-> **warning: no addresses found for interface `IF_NAME`** +!!! warning "warning: no addresses found for interface `IF_NAME`" -`dnsmasq` has been configured to listen on an interface that has no address assigned to it. + `dnsmasq` has been configured to listen on an interface that has no address assigned to it. -> **ignoring nameserver `ADDRESS` - local interface** +!!! warning "ignoring nameserver `ADDRESS` - local interface" -At least one `server` directive is redundant and point to the `dnsmasq` instance itself. The server is ignored. + At least one `server` directive is redundant and point to the `dnsmasq` instance itself. The server is ignored. -> **ignoring nameserver `ADDRESS` - cannot make/bind socket: `MSG`** +!!! warning "ignoring nameserver `ADDRESS` - cannot make/bind socket: `MSG`" -`dnsmasq` failed to allocate a socket for the mentioned server. The server is ignored. + `dnsmasq` failed to allocate a socket for the mentioned server. The server is ignored. -> **no address range available for DHCP request with subnet selector `SUBNET`** +!!! warning "no address range available for DHCP request with subnet selector `SUBNET`" -No DHCP context has been configured for this subnet selector. Check your DHCP settings. + No DHCP context has been configured for this subnet selector. Check your DHCP settings. -> **no address range available for DHCP request via `ADDRESS`** +!!! warning "no address range available for DHCP request via `ADDRESS`" -No DHCP context has been configured for this address. Check your DHCP settings. + No DHCP context has been configured for this address. Check your DHCP settings. -> **no address range available for DHCP request via `IF_NAME`** +!!! warning "no address range available for DHCP request via `IF_NAME`" -No DHCP context has been configured for this interface. Check your DHCP settings. + No DHCP context has been configured for this interface. Check your DHCP settings. 
-> **disabling DHCP static address `ADDRESS` for `HOSTNAME`** +!!! warning "disabling DHCP static address `ADDRESS` for `HOSTNAME`" -Static DHCP leases are disabled when sending a DHCPDECLINE packet. + Static DHCP leases are disabled when sending a DHCPDECLINE packet. -> **not using configured address `ADDRESS` because it is leased to `MAC`** +!!! warning "not using configured address `ADDRESS` because it is leased to `MAC`" -DHCPDISCOVER: Not handing out configured address because it is already actively used to anohter device with hardware address `MAC`. + DHCPDISCOVER: Not handing out configured address because it is already actively used to anohter device with hardware address `MAC`. -> **not using configured address `ADDRESS` because it is in use by the server or relay** +!!! warning "not using configured address `ADDRESS` because it is in use by the server or relay" -Handing out addresses used by known critical infrastructure (like the DHCP server or a relay) is prevented to avoid IP address duplication issues. + Handing out addresses used by known critical infrastructure (like the DHCP server or a relay) is prevented to avoid IP address duplication issues. -> **not using configured address `ADDRESS` because it was previously declined** +!!! warning "not using configured address `ADDRESS` because it was previously declined" -As the warning says. Check your log file for reasons of a prior refusal to hand out this lease. This warning is at most logged once every 10 minutes for a given address. + As the warning says. Check your log file for reasons of a prior refusal to hand out this lease. This warning is at most logged once every 10 minutes for a given address. -> **cannot send DHCP/BOOTP option `NUMBER`: no space left in packet** +!!! warning "cannot send DHCP/BOOTP option `NUMBER`: no space left in packet" -Use less DHCP options as the space for options is limited and cannot be extended (RFC2131). 
+ Use less DHCP options as the space for options is limited and cannot be extended (RFC2131). -> **cannot send RFC3925 option: too many options for enterprise number `NUMBER`** +!!! warning "cannot send RFC3925 option: too many options for enterprise number `NUMBER`" -A maximum packet length of 250 bytes has to be ensured for `dhcp-option = vi-encap:13,17,...` configurations. + A maximum packet length of 250 bytes has to be ensured for `dhcp-option = vi-encap:13,17,...` configurations. -> **no address range available for DHCPv6 request from relay at `ADDRESS`** +!!! warning "no address range available for DHCPv6 request from relay at `ADDRESS`" -No DHCPv6 context has been configured for this address. Check your DHCPv6 settings. + No DHCPv6 context has been configured for this address. Check your DHCPv6 settings. -> **no address range available for DHCPv6 request via `IF_NAME`** +!!! warning "no address range available for DHCPv6 request via `IF_NAME`" -No DHCPv6 context has been configured for this interface. Check your DHCPv6 settings. + No DHCPv6 context has been configured for this interface. Check your DHCPv6 settings. -> **disabling DHCP static address `ADDRESS` for `TIME`** +!!! warning "disabling DHCP static address `ADDRESS` for `TIME`" -Static DHCPv6 leases are disabled when sending a DHCP(6)DECLINE packet. + Static DHCPv6 leases are disabled when sending a DHCP(6)DECLINE packet. -> **IPset: error: `MSG`** +!!! warning "IPset: error: `MSG`" -A non-critical error was encountered when trying to access an IPset device. A human-readable message explains it further. + A non-critical error was encountered when trying to access an IPset device. A human-readable message explains it further. -> **warning: DIOCRADDADDRS: `MSG`** +!!! warning "warning: DIOCRADDADDRS: `MSG`" -A non-critical error was encountered when trying to add an address to an existing `ipset`. A human-readable message explains it further. 
+ A non-critical error was encountered when trying to add an address to an existing `ipset`. A human-readable message explains it further. -> **warning: DIOCRDELADDRS: `MSG`** +!!! warning "warning: DIOCRDELADDRS: `MSG`" -A non-critical error was encountered when trying to remove an address from an existing `ipset`. A human-readable message explains it further. + A non-critical error was encountered when trying to remove an address from an existing `ipset`. A human-readable message explains it further. From f1d141578965aef709ccd9395c32419f0c99653a Mon Sep 17 00:00:00 2001 From: Dan Schaper Date: Wed, 15 Dec 2021 02:04:08 -0800 Subject: [PATCH 5/5] Update docs/ftldns/dnsmasq_warn.md --- docs/ftldns/dnsmasq_warn.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ftldns/dnsmasq_warn.md b/docs/ftldns/dnsmasq_warn.md index 7da8bb8..fd16646 100644 --- a/docs/ftldns/dnsmasq_warn.md +++ b/docs/ftldns/dnsmasq_warn.md @@ -1,7 +1,7 @@ # Known `dnsmasq` warnings Warnings commonly seen in `dnsmasq`'s log file (`/var/log/pihole.log`) and the Pi-hole diagnosis system. - + !!! warning "ignoring zone transfer request from `ADDRESS`" Zone transfer requests (AXFR) are refused *unless* `auth-sec-servers` or `auth-peers` is set. The address requesting the AXFR is logged.